Keys to Use in Your Queries
Also referred to as fields, keys define the data in your logs. Each event type contains a specific set of keys. Keys are the constant, while the values of a key can vary.
This topic contains the list of keys that occur in each standard event type in InsightIDR. This is known as the schema; the data structure that allows data to be read by the application.
It is helpful to know which keys you want to search in Log Search, so that you can create queries on the key-value pair and easily find the data you need for your investigation.
It is also helpful to know which type of data the values are presented in–are they strings, timestamps, or numbers, for example–so that you can create precise queries to search them.
Most event types go to both Log Search and the Detection Engine, however, some event types are solely detection-based. There are also some schemas that do not have associated event types, which are part of the Audit Log.
Log Search and detection-based event types
All event types contain keys that can be referenced in your Log Search queries. The lists under each event type display one key on each line and the format of its corresponding value.
For example, "action": "STRING" refers to a field or key named 'action' and the type of data it contains-in this case, it's a string of alphanumeric characters.
When you know which key you want to investigate, you can find the corresponding log set to select in Log Search.
This section contains the event types and keys that correspond to the log sets that are visible in Log Search. It also includes the event types and keys that inform the logic on which Detection Rules are created.
In the user interface, the Rules Logic tab of the Detection Rules screen specifies the source event type that the detection rule will monitor. For example, look at the from parameter in the rule logic.
The order of keys in the list
This documentation lists the event type keys in alphabetical order for easy reference. The user interface may show them in a different order.
The keys are presented in a list format, which shows parent fields and child fields where they exist. This can help you to search keys by using the query syntax where(parentfield.childfield="value").
Active Directory Admin Activity
ad_admin
| Key | Value format |
|---|---|
| action | STRING |
| group | STRING |
| group_domain | STRING |
| group_scope | STRING |
| r7_context | |
| source_user | |
| rrn | RRN |
| name | STRING |
| type | STRING |
| domain | STRING |
| target_user | |
| rrn | RRN |
| name | STRING |
| type | STRING |
| domain | STRING |
| source_account | |
| rrn | RRN |
| name | STRING |
| type | STRING |
| target_account | |
| rrn | RRN |
| name | STRING |
| type | STRING |
| source_account | STRING |
| source_asset | STRING |
| source_data | STRING |
| source_json | {} |
| source_user | STRING |
| source_user_domain | STRING |
| target_account | STRING |
| target_user | STRING |
| target_user_domain | STRING |
| timestamp | TIMESTAMP |
Active Directory Admin Activity event type code block
Advanced Malware Alert
advanced_malware
| Key | Value format |
|---|---|
| asset | STRING |
| alert_name | STRING |
| custom_data | {} |
| destination_address | STRING |
| destination_port | STRING |
| destination_user | STRING |
| destination_user_domain | STRING |
| geoip_city | STRING |
| geoip_country_code | STRING |
| geoip_country_name | STRING |
| geoip_organization | STRING |
| geoip_region | STRING |
| protocol | STRING |
| r7_context | |
| asset | |
| rrn | RRN |
| name | STRING |
| type | STRING |
| source_user | |
| rrn | RRN |
| name | STRING |
| type | STRING |
| domain | STRING |
| secondary_asset | |
| rrn | RRN |
| name | STRING |
| type | STRING |
| destination_user | |
| rrn | RRN |
| name | STRING |
| type | STRING |
| domain | STRING |
| secondary_asset | STRING |
| severity | STRING |
| signature_name | STRING |
| source_address | STRING |
| source_data | STRING |
| source_port | STRING |
| source_user | STRING |
| source_user_domain | STRING |
| timestamp | TIMESTAMP |
Advanced Malware Alert event type code block
Asset Authentication
asset_auth
| Key | Value format |
|---|---|
| destination_account | STRING |
| destination_account_sid | STRING |
| destination_asset | STRING |
| destination_asset_address | STRING |
| destination_domain | STRING |
| destination_local_account | STRING |
| destination_user | STRING |
| logon_type | STRING |
| new_authentication | STRING |
| new_source_authentication | STRING |
| new_source_for_account | STRING |
| r7_context | |
| source_asset | |
| rrn | RRN |
| name | STRING |
| type | STRING |
| destination_user | |
| rrn | RRN |
| name | STRING |
| type | STRING |
| domain | STRING |
| destination_asset | |
| rrn | RRN |
| name | STRING |
| type | STRING |
| destination_account | |
| rrn | RRN |
| name | STRING |
| type | STRING |
| result | STRING |
| service | STRING |
| source_account | STRING |
| source_asset | STRING |
| source_asset_address | STRING |
| source_data | STRING |
| source_domain | STRING |
| source_json | {} |
| source_user | STRING |
| timestamp | TIMESTAMP |
Asset Authentication event type code block
Cloud Service Activity
cloud_service_activity
| Key | Value format |
|---|---|
| action | STRING |
| service | STRING |
| source_account | STRING |
| source_json | {} |
| source_user | STRING |
| timestamp | TIMESTAMP |
| user_agent | STRING |
Cloud Service Activity event type code block
Cloud Service Admin Activity
cloud_service_admin
| Key | Value format |
|---|---|
| action | STRING |
| service | STRING |
| source_account | STRING |
| source_json | {} |
| source_user | STRING |
| target_account | STRING |
| target_user | STRING |
| timestamp | TIMESTAMP |
| user_agent | STRING |
Cloud Service Admin Activity event type code block
DNS Query
dns
| Key | Value format |
|---|---|
| asset | STRING |
| custom_data | {} |
| dns_server_port | STRING |
| dns_server_address | STRING |
| public_suffix | STRING |
| query | STRING |
| query_blocked | STRING |
| query_class | STRING |
| query_type | STRING |
| r7_context | |
| user | |
| rrn | RRN |
| name | STRING |
| type | STRING |
| domain | STRING |
| asset | |
| rrn | RRN |
| name | STRING |
| type | STRING |
| source_address | STRING |
| source_data | STRING |
| source_port | STRING |
| top_private_domain | STRING |
| timestamp | TIMESTAMP |
| user | STRING |
| observation_count | NUMERIC |
| first_observed_time | TIMESTAMP |
| last_observed_time | TIMESTAMP |
| user_domain | STRING |
This event type contains deduplicated data.
DNS Query event type code block
Endpoint Activity
Process Start Event
process_start_event
| Key | Value format |
|---|---|
| dns_domain | STRING |
| duplicated_events | LONG |
| endpoint_id | STRING |
| endpoint_vendor | STRING |
| env_vars | |
| var | STRING |
| val | STRING |
| parent_val | STRING |
| hostname | STRING |
| os_type | STRING |
| parents_process | |
| account_domain | STRING |
| addr | STRING |
| cmd_line | STRING |
| egid | NUMERIC |
| egid_name | STRING |
| euid | NUMERIC |
| euid_name | STRING |
| exe_file | |
| author | STRING |
| countersigning_chain | |
| subject | STRING |
| issue | STRING |
| thumbprint | STRING |
| created | STRING |
| description | STRING |
| gid | NUMERIC |
| group | STRING |
| hashes | |
| md5 | STRING |
| sha256 | STRING |
| sha1 | STRING |
| internal_name | STRING |
| last_accessed | STRING |
| last_modified | STRING |
| orig_filename | STRING |
| owner | STRING |
| permissions | STRING |
| product_name | STRING |
| signing_chain | |
| subject | STRING |
| issuer | STRING |
| thumbprint | STRING |
| signing_status | STRING |
| size | LONG |
| uid | NUMERIC |
| version | STRING |
| exe_path | STRING |
| fsgid | NUMERIC |
| fsuid | NUMERIC |
| gid | NUMERIC |
| group | STRING |
| hash_reputation | |
| engine_count | NUMERIC |
| engine_match | NUMERIC |
| engine_percent | DOUBLE |
| first_analyzed_time | STRING |
| reliability | STRING |
| reputation | STRING |
| threat_level | STRING |
| img_path | STRING |
| name | STRING |
| pid | NUMERIC |
| port | NUMERIC |
| ppid | NUMERIC |
| r7_id | STRING |
| rgid | NUMERIC |
| rgid_name | STRING |
| ruid | NUMERIC |
| ruid_name | STRING |
| session | NUMERIC |
| sgid | NUMERIC |
| start_time | STRING |
| suid | NUMERIC |
| uid | NUMERIC |
| username | STRING |
| process | |
| account_domain | STRING |
| addr | STRING |
| cmd_line | STRING |
| egid | NUMERIC |
| egid_name | STRING |
| euid | NUMERIC |
| euid_name | STRING |
| exe_file | |
| author | STRING |
| countersigning_chain | |
| subject | STRING |
| issuer | STRING |
| thumbprint | STRING |
| created | STRING |
| description | STRING |
| gid | NUMERIC |
| group | STRING |
| hashes | |
| md5 | STRING |
| sha256 | STRING |
| sha1 | STRING |
| internal_name | STRING |
| last_accessed | STRING |
| last_modified | STRING |
| orig_filename | STRING |
| owner | STRING |
| permissions | STRING |
| product_name | STRING |
| signing_chain | |
| subject | STRING |
| issuer | STRING |
| thumbprint | STRING |
| signing_status | STRING |
| size | LONG |
| uid | NUMERIC |
| version | STRING |
| exe_path | STRING |
| fsgid | NUMERIC |
| fsuid | NUMERIC |
| gid | NUMERIC |
| group | STRING |
| hash_reputation | |
| engine_count | NUMERIC |
| engine_match | NUMERIC |
| engine_percent | DOUBLE |
| first_analyzed_time | STRING |
| reliability | STRING |
| reputation | STRING |
| threat_level | STRING |
| img_path | STRING |
| name | STRING |
| pid | NUMERIC |
| port | NUMERIC |
| r7_id | STRING |
| rgid | NUMERIC |
| rgid_name | STRING |
| ruid | NUMERIC |
| ruid_name | STRING |
| session | LONG |
| sgid | NUMERIC |
| start_time | STRING |
| suid | NUMERIC |
| uid | NUMERIC |
| username | STRING |
| r7_hostid | STRING |
Endpoint Activity, process_start_event event type code block
Netbios Poisoning
netbios_poisoning
| Key | Value format |
|---|---|
| timestamp | TIMESTAMP |
| poisoner_asset | STRING |
| observing_asset | STRING |
| poisoner_address | STRING |
| protocol | STRING |
| queried_hostname | STRING |
| source_json | |
| protocol | STRING |
| poisonerAddresses | STRING |
| queriedHostname | STRING |
| agentHostname | STRING |
| r7_context | |
| poisoner_asset | |
| type | STRING |
| rrn | RRN |
| name | STRING |
| observing_asset | |
| type | STRING |
| rrn | RRN |
| name | STRING |
Endpoint Activity, netbios_poisoning event type code block
Local Service Creation
local_service_creation
| Key | Value format |
|---|---|
| timestamp | TIMESTAMP |
| asset | STRING |
| service_name | STRING |
| service_cmdline | STRING |
| source_json | |
| sourceName | STRING |
| insertionStrings | STRING |
| eventCode | STRING |
| computerName | STRING |
| sid | STRING |
| isDomainController | STRING |
| eventData | STRING |
| timeWritten | TIMESTAMP |
| r7_context | |
| asset | |
| type | STRING |
| rrn | RRN |
| name | STRING |
Endpoint Activity, local_service_creation event type code block
Sysmon
sysmon
InsightIDR collects these Sysmon event IDs from Microsoft:
- Network Connection
- Create Remote Thread
- Process Access
- Registry Event
- Process Tampering
Depending on which event ID is collected, the shape of the event object will differ. The event object is defined by Microsoft and passed to InsightIDR. To learn more, read Microsoft’s documentation at: https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
Note: geoip lookups will only be populated for events with external IP addresses, for example, Network Connection events.
| Key | Value format |
|---|---|
| hostname | STRING |
| dns_domain | STRING |
| r7_hostid | STRING |
| os_type | STRING |
| event_id | NUMBER |
| event_name | STRING |
| event_provider | STRING |
| event | OBJECT |
| r7_context | OBJECT |
| geoip_ip | STRING |
| geoip_city | STRING |
| geoip_country_code | STRING |
| geoip_country_name | STRING |
| geoip_organization | STRING |
| geoip_region | STRING |
Sysmon event type code block
Endpoint Health
Job Status
job_status
| Key | Value format |
|---|---|
| timestamp | TIMESTAMP |
| job | STRING |
| hostname | STRING |
| status | STRING |
| message | STRING |
| invocation_id | STRING |
| events_reported | NUMERIC |
| queued_time | TIMESTAMP |
| started_time | TIMESTAMP |
| finished_time | TIMESTAMP |
| r7_context | |
| asset | |
| rrn | STRING |
| name | STRING |
| type | STRING |
| r7_hostid | STRING |
| source_json | OBJECT |
Endpoint Health, job_status event type code block
File Access Activity
file_access
| Key | Value format |
|---|---|
| access_types | STRING |
| account | STRING |
| file_extension | STRING |
| file_name | STRING |
| file_path | STRING |
| file_share | STRING |
| service | STRING |
| source_address | STRING |
| source_asset | STRING |
| source_json | {} |
| target_address | STRING |
| timestamp | TIMESTAMP |
| user | STRING |
File Access Activity event type code block
File Modification Activity
file_modification
| Key | Value format |
|---|---|
| account | STRING |
| asset | STRING |
| asset_address | STRING |
| asset_os_family | STRING |
| file_event | STRING |
| file_extension | STRING |
| file_name | STRING |
| file_path | STRING |
| process | STRING |
| process_id | STRING |
| source_json | {} |
| timestamp | TIMESTAMP |
| user | STRING |
File Modification Activity event type code block
Firewall Activity
firewall
| Key | Value format |
|---|---|
| asset | STRING |
| community_id | STRING |
| connection_status | STRING |
| custom_data | {} |
| destination_address | STRING |
| destination_port | STRING |
| direction | STRING |
| geoip_city | STRING |
| geoip_country_code | STRING |
| geoip_country_name | STRING |
| geoip_organization | STRING |
| geoip_region | STRING |
| incoming_bytes | STRING |
| r7_context | |
| user | |
| rrn | RRN |
| name | STRING |
| type | STRING |
| asset | |
| rrn | RRN |
| name | STRING |
| type | STRING |
| outgoing_bytes | STRING |
| source_address | STRING |
| source_data | STRING |
| source_json | {} |
| source_port | STRING |
| transport_protocol | STRING |
| timestamp | TIMESTAMP |
| user | STRING |
| observation_count | NUMERIC |
| first_observed_time | TIMESTAMP |
| last_observed_time | TIMESTAMP |
This event type contains deduplicated data.
Firewall Activity event type code block
Host To IP Observations
host_name_to_ip
| Key | Value format |
|---|---|
| account | STRING |
| account_domain | STRING |
| action | STRING |
| asset | STRING |
| client_mac | STRING |
| custom_data | {} |
| host | STRING |
| ip | STRING |
| r7_context | |
| host | |
| rrn | RRN |
| name | STRING |
| type | STRING |
| user | |
| rrn | RRN |
| name | STRING |
| type | STRING |
| domain | STRING |
| asset | |
| rrn | RRN |
| name | STRING |
| type | STRING |
| account | |
| rrn | RRN |
| name | STRING |
| type | STRING |
| source_data | STRING |
| source_json | {} |
| timestamp | TIMESTAMP |
| user | STRING |
Host to IP event type code block
IDS Alert
ids
| Key | Value format |
|---|---|
| asset | STRING |
| category | STRING |
| community_id | STRING |
| description | STRING |
| destination_bytes | STRING |
| destination_ip | STRING |
| destination_port | STRING |
| destination_packet_count | STRING |
| ids_app_protocol | STRING |
| ids_app_protocol_info | STRING |
| ja3 | |
| hash | STRING |
| string | STRING |
| ja3s | |
| hash | STRING |
| string | STRING |
| serial | STRING |
| subject | STRING |
| version | STRING |
| issuerdn | STRING |
| notafter | STRING |
| notbefore | STRING |
| fingerprint | STRING |
| source_data | STRING |
| source_json | STRING |
| timestamp | STRING |
| ids_flow_initiated | TIMESTAMP |
| protocol | STRING |
| severity | STRING |
| signature | STRING |
| signature_revision | STRING |
| source_bytes | STRING |
| source_ip | STRING |
| source_packet_count | STRING |
| source_port | STRING |
| timestamp | TIMESTAMP |
| total_bytes | STRING |
| total_packet_count | STRING |
| user | STRING |
IDS Alert event type code block
Ingress Authentication
ingress_auth
| Key | Value format |
|---|---|
| account | STRING |
| authentication_target | STRING |
| custom_data | {} |
| geoip_city | STRING |
| geoip_country_code | STRING |
| geoip_country_name | STRING |
| geoip_organization | STRING |
| geoip_region | STRING |
| mobile_device_id | STRING |
| r7_context | |
| user | |
| rrn | RRN |
| name | STRING |
| type | STRING |
| domain | STRING |
| account | |
| rrn | RRN |
| name | STRING |
| type | STRING |
| result | STRING |
| service | STRING |
| service_address | STRING |
| source_data | STRING |
| source_ip | STRING |
| source_json | {} |
| timestamp | TIMESTAMP |
| user | STRING |
| user_agent | STRING |
| user_domain | STRING |
Ingress Authentication event type code block
Network Flow
flow
| Key | Value format |
|---|---|
| app_protocol | STRING |
| app_protocol_description | STRING |
| community_id | STRING |
| destination_address | STRING |
| destination_asset | STRING |
| destination_bytes | STRING |
| destination_packet_count | STRING |
| destination_port | STRING |
| destination_user | STRING |
| direction | STRING |
| first_packet_time | TIMESTAMP |
| flow_initiated | TIMESTAMP |
| geoip_city | STRING |
| geoip_country_code | STRING |
| geoip_country_name | STRING |
| geoip_organization | STRING |
| geoip_region | STRING |
| mobile_device_id | STRING |
| last_packet_time | TIMESTAMP |
| r7_context | |
| source_user | |
| rrn | RRN |
| name | STRING |
| type | STRING |
| source_asset | |
| rrn | RRN |
| name | STRING |
| type | STRING |
| destination_user | |
| rrn | RRN |
| name | STRING |
| type | STRING |
| destination_asset | |
| rrn | RRN |
| name | STRING |
| type | STRING |
| source_address | STRING |
| source_asset | STRING |
| source_bytes | STRING |
| source_port | STRING |
| source_json | STRING |
| source_packet_count | TIMESTAMP |
| source_user | STRING |
| timestamp | TIMESTAMP |
| total_bytes | STRING |
| total_packet_count | STRING |
| transport_protocol | STRING |
Network Flow event type code block
SSO
sso
| Key | Value format |
|---|---|
| user | STRING |
| account | STRING |
| service | STRING |
| source_ip | STRING |
| timestamp | TIMESTAMP |
| geoip_city | STRING |
| source_json | {} |
| geoip_region | STRING |
| sso_provider | STRING |
| geoip_country_code | STRING |
| geoip_country_name | STRING |
| geoip_organization | STRING |
SSO event type code block
Third Party Alert
third_party_alert
| Key | Value format |
|---|---|
| alert_id | STRING |
| asset | STRING |
| custom_data | {} |
| description | STRING |
| r7_context | |
| user | |
| rrn | RRN |
| name | STRING |
| type | STRING |
| asset | |
| rrn | RRN |
| name | STRING |
| type | STRING |
| product | STRING |
| severity | STRING |
| source_data | STRING |
| source_json | {} |
| timestamp | TIMESTAMP |
| title | STRING |
| type | STRING |
| user | STRING |
Third Party Alert event type code block
Virus Alert
virus
| Key | Value format |
|---|---|
| account | STRING |
| action | STRING |
| action_status | STRING |
| asset | STRING |
| custom_data | {} |
| error_code | STRING |
| error_description | STRING |
| file_path | STRING |
| r7_context | |
| user | |
| rrn | RRN |
| name | STRING |
| type | STRING |
| domain | STRING |
| asset | |
| rrn | RRN |
| name | STRING |
| type | STRING |
| account | |
| rrn | RRN |
| name | STRING |
| type | STRING |
| risk | STRING |
| source_address | STRING |
| source_data | STRING |
| source_json | {} |
| timestamp | TIMESTAMP |
| user | STRING |
| user_domain | STRING |
Virus Alert event type code block
Web Proxy Activity
web_proxy
| Key | Value format |
|---|---|
| asset | STRING |
| custom_data | {} |
| destination_ip | STRING |
| geoip_city | STRING |
| geoip_country_code | STRING |
| geoip_country_name | STRING |
| geoip_organization | STRING |
| geoip_region | STRING |
| http_method | STRING |
| incoming_bytes | STRING |
| is_blocked | STRING |
| outgoing_bytes | STRING |
| public_suffix | STRING |
| r7_context | |
| user | |
| rrn | RRN |
| name | STRING |
| type | STRING |
| domain | STRING |
| asset | |
| rrn | RRN |
| name | STRING |
| type | STRING |
| scheme | STRING |
| source_data | STRING |
| source_ip | STRING |
| source_json | {} |
| timestamp | TIMESTAMP |
| top_private_domain | STRING |
| url | STRING |
| url_host | STRING |
| url_path | STRING |
| url_query | STRING |
| user | STRING |
| observation_count | NUMERIC |
| first_observed_time | TIMESTAMP |
| last_observed_time | TIMESTAMP |
| user_agent | STRING |
| user_domain | STRING |
This event type contains deduplicated data.
Web Proxy event type code block
Web Server Access
web_server_access
| Key | Value format |
|---|---|
| timestamp | TIMESTAMP |
| source_address | STRING |
| geoip_organization | STRING |
| geoip_country_code | STRING |
| geoip_country_name | STRING |
| geoip_city | STRING |
| geoip_region | STRING |
| server_address | STRING |
| url_host | STRING |
| http_method | STRING |
| url_path | STRING |
| response_status | STRING |
| outgoing_bytes | STRING |
| user_agent | STRING |
| referer | STRING |
| forwarded_for | STRING |
| auth_user | STRING |
Web Server Access event type code block
Detection-based Event Types
Anomalous Data Transfer
anomalous_data_transfer
| Key | Value format |
|---|---|
| analysis_hour_destinations | |
| city | STRING |
| dst_addr | NUMERIC |
| dst_port | NUMERIC |
| hostname | STRING |
| cert_name | STRING |
| country_code | STRING |
| organization | STRING |
| dst_bytes_human | STRING |
| src_bytes_human | STRING |
| dst_bytes_percent | NUMERIC |
| src_bytes_percent | NUMERIC |
| analysis_hour_stats | |
| bytes_ratio | STRING |
| num_destinations | NUMERIC |
| incoming_bytes_human | STRING |
| outgoing_bytes_human | STRING |
| num_destination_ports | NUMERIC |
| date | TIMESTAMP |
| source_addresses | STRING |
| source_asset_id | UUID |
| source_asset_names | STRING |
Anomalous Data Transfer event type code block
Audit Logs
The audit logs in InsightIDR capture a chronological view of every action taken in relation to a particular object, such as an investigation or alert. You can use Log Search to query the data in the audit log.
The log sets that are generated from the audit log originate from actions taken in InsightIDR, rather than event sources or the Insight Agent, so they don’t have event types.
InsightIDR Investigations
| Key | Value format |
|---|---|
| time | TIMESTAMP |
| action | STRING |
| audit_id | STRING |
| result | STRING |
| access_method | STRING |
| product | STRING |
| description | STRING |
| service_info | |
| investigation_id | STRING |
| investigation_name | STRING |
| investigation_type | STRING |
| investigation_rrn | RRN |
| assigned_user | STRING |
| assignee_login | STRING |
| request | |
| user_agent | STRING |
| geo_location | |
| organization | STRING |
| country_name | STRING |
| country_code | STRING |
| city | STRING |
| region | STRING |
| ip | STRING |
| user | |
| STRING | |
| name | STRING |
InsightIDR Investigations code block
InsightIDR Alerts
| Key | Value format |
|---|---|
| time | TIMESTAMP |
| action | STRING |
| audit_id | STRING |
| result | STRING |
| access_method | STRING |
| product | STRING |
| description | STRING |
| service_info | |
| alert_id | STRING |
| alert_name | STRING |
| alert_type | STRING |
| alert_rrn | RRN |
| assigned_user | STRING |
| assignee_login | STRING |
| request | |
| user_agent | STRING |
| geo_location | |
| organization | STRING |
| country_name | STRING |
| country_code | STRING |
| city | STRING |
| region | STRING |
| ip | STRING |
| user | |
| STRING | |
| name | STRING |
InsightIDR Alerts code block
Did this page help you?